Fortifying Data Privacy and Security in Law Firms and Courts

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.lawtechnologynews.com/id=1202677111995/Fortifying-Data-Privacy-and-Security-in-Law-Firms-and-Courts?slreturn=20141021181858

The Georgetown Law Advanced E-Discovery Institute at The Ritz-Carlton
inTysons Corner, McLean, Va., featured a popular panel entitled “Data
Privacy and Security: Substantive Claims and E-Discovery Issues Abound.” It
was standing room only. The panelists covered data protection policies at
law firms, vendors and courts, among other subjects.

Timothy Opsitnick, founder and general counsel of Jurinnov, moderated the
hour-and-fifteen-minute long panel. Speakers included: Magistrate Judge
Andrew Peck, for the U.S. District Court for the Southern District of New
York; Annika Martin, partner at Lieff Cabraser Heimann & Bernstein; David
Shonka, principal general counsel at the U.S. Federal Trade Commission; and
Lisa Sotto, partner at Hunton & Williams.

Law firms have sensitive data to protect, such as the merger and
acquisition information of their clients. Protecting data should be
“dynamic,” said the FTC’s Shonka, noting that it’s a minute-to-minute
endeavor. “[Data-security] is a non-stop process,” Shonka said.

Law firms cannot be held to different standards than corporate, government
entities or other organizations, said Shonka. If a law firm possesses data
it must be protected, he said, noting that firms can be liable under
personal injury law if client data are compromised. A solid data protection
policy is implemented firmwide and includes monitoring and auditing by
outside vendors, with comeuppances for employees not adhering to the
policy, Shonka said. A breach response plan is also necessary, he said, as
there are several instances that could spark an incident (e.g., disgruntled
employee, lost laptop, etc.).

Data security is generally not a concern for producing parties in an
e-discovery matter, noted Lieff Cabraser’s Martin.

Data privacy is primarily practiced in large firms, Peck noted, saying that
some small firms and solo practitioners have never contemplated computer
security. In most instances the tremendous price tag of securing data
privacy would be impractical for solo practitioners. In his role as judge,
Peck would almost never warn  parties about potential data risks, he said.
He did note that if there was extremely sensitive information that was at
risk of being hacked he potentially might ask the parties if they’ve
considered the possibility of a data breach.

Service providers have an obligation to care for data too, said Sotto.
Venders shouldn’t use client data for purposes other than fulfilling client
needs, Sotto said, noting that vendors can be vetted by on-site visits and
third-party audits. Vendors should also screen their employees with
background checks, she said.

Data security in the 2nd district court, said Peck, includes storing
documents under seal in a vault and not incorporating them in the
electronic court record. If in electronic form, the sealed data would only
be at risk if there was a break in at the court, he said. Information not
under seal is open for public access. Cell phones are also not allowed in
the court, Peck said. If a lawyer has a New York State Bar Association
identification card, he or she will be permitted to bring a single cell
phone into the court, he said. This policy eliminates the risk of tweeting
jurors, said Peck.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!